Exam Objectives Frequently Asked Questions


The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the Exam Objectives presented in this chapter, and to assist you with real-life implementation of these concepts. You will also gain access to thousands of other FAQs at ITFAQnet.com.

1. I am setting up a multiforest Windows Server 2003 network for two law firms that are in the process of merging. The first firm is located in Baltimore, Maryland, the second in Raleigh-Durham, North Carolina. I want to create a two-way forest trust between these networks, but each firm's servers are located behind a stringent firewall. Which ports do I need to enable on the firewall to allow the trust relationship to exist?


2. I have a department within my organization that requires access to resources on a third-party vendor's Windows 2000 network. This department would like to make its internal resources available to the vendor as well. This is a single department within a large organization. Do I have any way to prevent this vendor from having access to my entire forest?


3. What are some best practices to protect my network and staff against social engineering attacks?


4. What happens to Windows NT trust relationships when you upgrade to Windows Server 2003?


Answers

1. For a two-way trust, you need to enable LDAP (TCP and UDP ports 389). You also need to enable Microsoft's SMB protocol (UDP port 445), the endpoint resolution portmapper (TCP port 135), and Kerberos, which operates on UDP port 88. If you were creating only a one-way outgoing trust, you would not need to enable the Kerberos port.

2. Use Selective Authentication to restrict the resources to which the external vendor has access. You will then need to manually enable permissions on the local domain and on the resources that you want users in the external domain to have access to.

3. Make sure that your users and administrators are aware of some of the indicators of social engineering attacks, such as requests to do something that would be in violation of your company's security policy, or someone using a friendship or a personal relationship to get someone to do something that violates security policies. Your staff should also be wary of any unusual network requests, especially if they supposedly need to be carried out right away.

4. When you upgrade a Windows NT domain to a Windows Server 2003 domain, all your existing Windows NT trusts are preserved as is. Remember that trust relationships between Windows Server 2003 domains and Windows NT domains are nontransitive.




MCSE Designing Security for a Windows Server 2003 Network. Exam 70-298
ISBN: 1932266550
EAN: 2147483647
Year: 2003
Pages: 122
